On 7 November 2014 the Polish Parliament passed the Act on the Facilitation of Business Activity, which substantially amends the existing Act on Personal Data Protection. As we previously reported, this new Act requires an administrator for information security to be given an independent position within the data controller’s organization. Additionally, the new Act introduces provisions facilitating the transfer of personal data to countries outside the European Economic Area (further implementing provisions from Directive 95/46/EC and the proposed draft General Data Protection Regulation). The new law will come into force on 1 January 2015.
On December 2, the Department of Health and Human Services, Office for Civil Rights (OCR) announced a $150,000 settlement with Anchorage Community Mental Health Services, Inc. (ACMHS) for alleged violations of the HIPAA Security Rule. The announcement followed an OCR investigation into a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals. OCR highlighted three Security Rule violations in its resolution agreement: (1) failure to conduct an accurate and thorough risk analysis; (2) failure to implement security policies and procedures; and (3) failure to have reasonable firewalls in place, as well as supported and patched IT resources. In a press release regarding the settlement, OCR Director Jocelyn Samuels noted that “successful HIPAA compliance . . . includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
On December 3, 2014, the Federal Trade Commission announced two administrative settlements with a medical billing provider, PaymentsMD, LLC, and its former CEO, Michael Hughes, for allegedly misleading thousands of consumers who signed up for an online billing portal by failing to adequately disclose that the company would seek detailed medical information from pharmacies, medical labs, and insurance companies.
The Court of Justice of the European Union (CJEU) has today published its decision in the case of Ryneš and has found that domestic CCTV which films a public area cannot be exempt from the obligations contained in the EU Data Protection Directive by virtue of the “household exemption”.
On December 5, the National Institute of Standards and Technology (NIST) issued an update regarding its Framework for Improving Critical Infrastructure Cybersecurity (Framework). Since its release in February 2014, the Framework has become an important benchmark for corporate cybersecurity programs. NIST’s update addresses industry input received from an October workshop and an August Request for Information. It also describes NIST’s plans to support future use of the Framework.
On November 12, 2014, the CNIL issued a new compliance pack for the insurance sector drafted in collaboration with the sector trade associations.
Compliance packs are a new tool that the CNIL has been promoting for the past few months as an operational response to the needs of professionals concerning the application of the French data protection law.
The CNIL has previously published compliance packs about electric “smart meters” (June 2014) and about social housing (October 2014). Two further compliance packs have already been announced for publication soon: one about banking activities and one about social services.
Addressing the French Parliamentary Commission on Digital Rights, CNIL and Article 29 Working Party Chair Isabelle Falque-Pierrotin commented on the current state of negotiations of the proposed European General Data Protection Regulation, warning that excessive reliance on a risk-based approach could undermine fundamental rights. A risk analysis is useful as a guide to allocate resources, but should not affect the underlying rights of the data subject, she said. To illustrate her point, Falque-Pierrotin used the analogy of a homeowner who lives in a part of the city where burglaries are frequent. The risk-based approach means that the homeowner will buy more locks for doors, and that police authorities may devote more resources to patrolling. It does not mean, however, that homeowners have different rights depending on where they live. Falque-Pierrotin is concerned that the current negotiations on the risk-based approach may confuse these two concepts, leading to a situation where individuals’ rights are reduced or ignored for low-risk processing.
This Wednesday, December 3rd, at the close of the IAPP Practical Privacy Series event on the FTC and Consumer Privacy at the FHI 360 Conference Center in D.C., Hogan Lovells partner Christopher Wolf will be moderating a panel hosted by the Future of Privacy Forum and the International Association of Privacy Professionals entitled “Device Encryption: Too Much Privacy for Consumers?” The panel is free and open to the public.
Apple and Google have turned on “whole device encryption” for their new devices. What does this mean for consumers? What new protections are added? What impact does this have on hackers or others who may seek to access the data on a cell phone? What does it mean for law enforcement?
As the keynote speaker for the Winnik Forum, U.S. Federal Trade Commission (FTC) Commissioner Maureen Ohlhausen sat down with Christopher Wolf, Co-Director of Hogan Lovells’ Privacy and Information Management Practice, to discuss the evolving role of the FTC as we enter an era of “Big Data” and the “Internet of Things.” Commissioner Ohlhausen offered her views on a flexible approach to protecting consumer data privacy as connected devices continue to evolve. As opportunities arise for additional potential uses of collected data, Commissioner Ohlhausen said organizations and policymakers should consider a “harms-based approach” in which new uses of data would be allowed as long as they do not cause consumer harm and as long as they remain consistent with earlier promises that organizations have made to consumers. The key for Commissioner Ohlhausen is that companies should disclose what data is being collected and keep the promises that they make to consumers about the collection and uses of that data.
During a November 13, 2014 hearing before the Digital Rights Commission of the French National Assembly, Jean-Marie Delarue, the head of France’s oversight Commission for National Security Interceptions (CNCIS), said that France’s 1991 law on national security wiretaps needed to be updated to better protect individuals. Currently, the CNCIS is consulted by the Prime Minister’s office before the implementation of national security wiretaps. According to Mr. Delarue, this system works well for wiretaps, but the collection of metadata falls largely outside this procedure. He argued that a major overhaul of the 1991 law is needed to catch up with modern intelligence gathering techniques and to better reflect the case law of the European Court of Human Rights, and that justifications for government invasion of privacy need to be narrowly defined by law. Broad justifications such as “fundamental interests of the nation” are too vague to withstand scrutiny under European constitutional principles.